Django REST Framework – Separate permissions per methods

Permissions are applied to the entire View class, but you can take into account aspects of the request (like the method such as GET or POST) in your authorization decision.

See the built-in IsAuthenticatedOrReadOnly as an example:


class IsAuthenticatedOrReadOnly(BasePermission):
    The request is authenticated as a user, or is a read-only request.

    def has_permission(self, request, view):
        if (request.method in SAFE_METHODS or
            request.user and
            return True
        return False

Leave a Comment